The Electronic Frontier Foundation (EFF) has been at the forefront of the digital rights battle since 1990, defending the right to free speech and on-line privacy. Still entrenched in that battle, a few months ago the EFF unveiled a new Web site titled the Surveillance Self-Defense Project (SSD). Its entire purpose is to provide relevant information about surveillance:

"The Electronic Frontier Foundation (EFF) has created this Surveillance Self-Defense site to educate the American public about the law and technology of government surveillance in the United States, providing the information and tools necessary to evaluate the threat of surveillance and take appropriate steps to defend against it.

Surveillance Self-Defense exists to answer two main questions: What can the government legally do to spy on your computer data and communications? And what can you legally do to protect yourself against such spying?"

Risk Management

Although the EFF is focusing on what many call "big brother" surveillance, I find that their information is relevant for maintaining information security against all threats. One area that the EFF has focused on is risk management and that resonates with what TechRepublic's IT Security host Chad Perrin has been championing for a long time. The EFF goes on to say that security means making trade offs to manage risks:

"Security isn't having the strongest lock or the best anti-virus software, security is about making trade offs to manage risk, something we do in many contexts throughout the day.

When you consider crossing the street in the middle of the block rather than at a cross-walk, you are making a security trade-off: you consider the threat of getting run over versus the trouble of walking to the corner, and assess the risk of that threat happening by looking for oncoming cars.

Your bodily safety is the asset you're trying to protect. How high is the risk of getting run over and are you in such a rush that you're willing to tolerate it, even though the threat is to your most valuable asset?"

It's a simple example. Yet it has to hit home, putting the entire process into perspective. To explain further, the EFF divides risk management into four distinct yet related concepts:

An asset is something you value and want to protect. Anything of value can be an asset, but in the context of this discussion most of the assets in question are information.

A threat is something bad that can happen to an asset and what you are protecting against.

Risk is the likelihood that a particular threat against a particular asset will actually come to pass, and how damaged the asset would be.

An adversary, in security-speak, is any person or entity that poses a threat against an asset.

It all comes together

The entire point of risk management is to determine which threats present the greatest risk to the assets being protected. The EFF Web site further explains:

"Putting these concepts together, you need to evaluate which threats to your assets from which adversaries pose the most risk, and then decide how to manage the risk. Intelligently trading off risks and costs is the essence of security. How much is it worth to you to manage the risk?"

The EFF also points out that data needs protecting in two distinctly different venues: Data stored on the computer and data on the wire.

Defensive Technology

After explaining risk envelopes, the SSD Web site offers technical information on how to provide security for the data, regardless of whether it's resides on the computer or in transition to a remote endpoint. The major areas touched on are:

"Someone's going to call it a threat to national security before the day is out. ... Phooey."

That was on 03 Mar 2009 and the Web site is still there there today. After investigation, do you think the SSD Web site makes it more difficult for the government to do their job? Is it something that governments just need to deal with because citizens have the right to privacy? What do you think?

Final thoughts

As I read through the Web site I had one of my daah moments: Security preparations have to be preemptive, otherwise they're totally worthless. That means we don't know who we're protecting ourselves from initially. So controversial or not, enabling the security practices described on the SSD Web site could be considered useful protection against all digital intruders. How's that for justification?

TechRepublic's IT Security e-mail newsletter (delivered every Tuesday) is a great way to keep on top of security issues related to Information Technology. Please make sure to sign up.